NodeSource Certified Modules for Node.js Now Generally Available

NodeSource, an enterprise-grade tools provider focusing on the continued support of the Node.js ecosystem, has announced that NodeSource Certified Modules for Node.js are now generally available. NodeSource Certified Modules is a hosted product that provides an evaluation of publicly available Node.js modules to ensure that each module meets specific criteria related to security, license compliance, and package integrity. The Certified Modules product includes a NodeSource registry of certified Node.js modules with "trust scores" assigned to each package, and a command-line utility called nscm that can be used to check module versions, view trust scores, and whitelist non-certified packages. NodeSource introduced its Certified Modules product this past November, and the product was created to ensure that the Node.js modules developers use are safe, secure and reliable.

There are more than 400,000 publicly available Node.js modules many of which are not well-maintained, not up to date, and not without security vulnerabilities. NodeSource created the Certified Modules product to mitigate the risks of using third-party Node.js modules, and eliminate the need for developers to spend time testing and verifying that the Node.js modules they choose are safe to use. Certified Modules customers receive their own instance of the npm registry, but with NodeSource's certification applied to the contents (the modules). Customers can whitelist modules that don't yet meet the certification requirements, but they are taking a risk if they use them.

NodeSource has built a proprietary certification algorithm that performs a rigorous analysis of Node.js modules. The certification process evaluates each npm package within a registry and then calculates a quantitative trust score. Part of the process involves the algorithm determining the trust score by analyzing modules for vulnerabilities, license compliance, and package integrity. The algorithm checks npm modules for known security vulnerabilities. Joe McCann, CEO of NodeSource, told ProgrammableWeb that "to date, 15% of all modules on npm have a known security vulnerability, and we do not certify packages that have known security vulnerability."

While 15% of all modules on npm have a known security vulnerability, and some are not well-maintained and up to date, most npm modules meet NodeSource's certification requirements. "The number is fluctuating but on average we've found about 75-80% of all packages are certified," said McCann. "Moreover, we run the certification process against every version of every package, which gets into the millions. The 75-80% number still holds up. Over time, we expect this number to approach 100% as module authors have reached out to us to find out how they can improve their certification score."

The Certified Modules product also includes real-time monitoring of security vulnerabilities which identifies emerging risks for each module NodeSource certifies. McCann said that "the npm registry has a real-time "changes" feed so any time there is a new package published or a module is updated, we find out about it and run our certification algorithm against the new or updated package."

"Today's developers have been faced with the significant burden of hundreds of thousands of unreliable packages available on npm. At NodeSource, we've created a groundbreaking product that is solving a critical need for Node.js users by eliminating the unknown in open source," stated McCann for the press release. "We've taken the pain out of choosing Node modules and show our customers, based on our certification process, which modules are safe, secure and reliable and which ones are not."